Overview

overview

10

Static

static

7

4fd0c9d8fa...66.exe

windows7-x64

10

4fd0c9d8fa...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fd0c9d8fafa4d4f81d0d70ca966e7921c4736c4dfef9051af3fc1ccf20f3966.exe

  • Size

    3.8MB

  • MD5

    09e5c6db3ddafacd61fd8231a55b08ad

  • SHA1

    a4444b5029718fcf540a92a8d7f7cf55dd462198

  • SHA256

    4fd0c9d8fafa4d4f81d0d70ca966e7921c4736c4dfef9051af3fc1ccf20f3966

  • SHA512

    44e673d66bc55fa547c8f14040299328af698de9782121f64ed86ecd1dc1c8ca85ae911deac60438b73c3d9be568ab7fe6244636d85895fe660e15b66fd0b727

  • SSDEEP

    98304:3Vde8FivCeGDRsiSc/XBgZrzyWGgRSL6O2jSk6adBNWuz+VRD0MbQT:HZFwAur6XBazEgRSSjS5aT1z+/D0yQT

Score
10/10
raccoon540b1db0b12b23e63e6942952aa03e47discoveryevasionspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

raccoon

Botnet

540b1db0b12b23e63e6942952aa03e47

C2

http://45.9.74.36/

http://45.9.74.34/
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fd0c9d8fafa4d4f81d0d70ca966e7921c4736c4dfef9051af3fc1ccf20f3966.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd0c9d8fafa4d4f81d0d70ca966e7921c4736c4dfef9051af3fc1ccf20f3966.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Roaming\Ooz9hTX7.exe
      "C:\Users\Admin\AppData\Roaming\Ooz9hTX7.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:3844
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:3852
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:3928
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1" /TR "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe" /SC MINUTE
          4⤵
          • Creates scheduled task(s)
          PID:3384
        • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
          "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:636
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 280
        3⤵
        • Program crash
        PID:4052
    • C:\Users\Admin\AppData\Roaming\74vJ6qcA.exe
      "C:\Users\Admin\AppData\Roaming\74vJ6qcA.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\74vJ6qcA.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
            PID:1864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4968 -ip 4968
      1⤵
        PID:948
      • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
        C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1248

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      File Permissions Modification

      1
      T1222

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
        Filesize

        312.1MB

        MD5

        9abae28758c074bb926c69dc76cf77fb

        SHA1

        0ecfa6df66eb56dec1475e8e7a8e70507d6798db

        SHA256

        b5cb5596f0904e61717f6724447762b2bc0ebd9645aad73cdf41e0fcd11ee80c

        SHA512

        df3092c649f255d3a10197923c167b29d08a62feffb47c71c6551e18dd78bb6bcde82c96773d54b06d08c94f2c2a5d20da8582666135b9731732e93edbca614e

        Download Submit
      • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
        Filesize

        319.1MB

        MD5

        7e39218faeea906dbd2c030f28fa0132

        SHA1

        6e9dff5d40f51f770a07f48711ba18d6a749492a

        SHA256

        f772b2a7d6b90f4acd94402988bc0760b28771be2c6db2be9e89b2f5eed85d26

        SHA512

        231cb28560ae840b9732d35ab0cf27784afd0c57c74d8733cda491bef2f17144939cff3b48485cea321b9daacd9d7e1ef634add3b6fdc5355106bc3592d5215d

        Download Submit
      • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
        Filesize

        342.9MB

        MD5

        985dc720a8bb5f91c6907cd36ba54337

        SHA1

        0bfcea424b6cb8bba8d189bb6b9c157d76b84339

        SHA256

        958e522df8967e541ccf65d69e88477ee40387534061ec3c0aca8b7d5d585152

        SHA512

        beb5f7718542c6328bf5b0a593bc5460e45d2dfba114a250773f7861852c091c8dd461bc7fc52ed5b9e23c48f6e924aeb9eb2cc2e40399c94be83ef53ff250b1

        Download Submit
      • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1\regid.1991-06.com.microsoftMicrosoft-type3.6.4.1.exe
        Filesize

        254.5MB

        MD5

        b8648c1e5f7925ee11319dd68dd04e0e

        SHA1

        6fc998bd55ab556d2b636c22c1abb38d9499268d

        SHA256

        37ae6aefab5f7003d1531f56c6ecc0f91969f3b9547cd1fcf19519dd722e0ba3

        SHA512

        ee70daf76b4470236fa97273d9e4e6af2d5e29351bd79ff03e7200230c6a446967189b14d3a4086af9db85517dd5211c91201f83ef318d883e31a49eef173503

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\mozglue.dll
        Filesize

        612KB

        MD5

        f07d9977430e762b563eaadc2b94bbfa

        SHA1

        da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

        SHA256

        4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

        SHA512

        6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\nss3.dll
        Filesize

        1.9MB

        MD5

        f67d08e8c02574cbc2f1122c53bfb976

        SHA1

        6522992957e7e4d074947cad63189f308a80fcf2

        SHA256

        c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

        SHA512

        2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
        Filesize

        1.0MB

        MD5

        dbf4f8dcefb8056dc6bae4b67ff810ce

        SHA1

        bbac1dd8a07c6069415c04b62747d794736d0689

        SHA256

        47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

        SHA512

        b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\74vJ6qcA.exe
        Filesize

        13.9MB

        MD5

        809fd08e5f79d466a9246b7a793f691d

        SHA1

        3256eca2d1638d421bc53cbfcca50effc18b5cec

        SHA256

        b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

        SHA512

        93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

        Download Submit
      • C:\Users\Admin\AppData\Roaming\74vJ6qcA.exe
        Filesize

        13.9MB

        MD5

        809fd08e5f79d466a9246b7a793f691d

        SHA1

        3256eca2d1638d421bc53cbfcca50effc18b5cec

        SHA256

        b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

        SHA512

        93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

        Download Submit
      • C:\Users\Admin\AppData\Roaming\74vJ6qcA.exe
        Filesize

        13.9MB

        MD5

        809fd08e5f79d466a9246b7a793f691d

        SHA1

        3256eca2d1638d421bc53cbfcca50effc18b5cec

        SHA256

        b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

        SHA512

        93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Ooz9hTX7.exe
        Filesize

        3.4MB

        MD5

        03e57c419d5bf3221c69a098085f9ff2

        SHA1

        a7d708e9f356be139f90c2db787939e9a5eb4f2e

        SHA256

        f14ff29c31fb7f6a27e75f925000475fd103a924466a55426e1ea314870df500

        SHA512

        8c8fab2114e5d05d3d5c85558e4e7480fb93e210bc1dadc001131c2292034083f7920721396ffeedba65cdb0dcde0faee2b36f05e2e46b06749564dd5c398a83

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Ooz9hTX7.exe
        Filesize

        3.4MB

        MD5

        03e57c419d5bf3221c69a098085f9ff2

        SHA1

        a7d708e9f356be139f90c2db787939e9a5eb4f2e

        SHA256

        f14ff29c31fb7f6a27e75f925000475fd103a924466a55426e1ea314870df500

        SHA512

        8c8fab2114e5d05d3d5c85558e4e7480fb93e210bc1dadc001131c2292034083f7920721396ffeedba65cdb0dcde0faee2b36f05e2e46b06749564dd5c398a83

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Ooz9hTX7.exe
        Filesize

        3.4MB

        MD5

        03e57c419d5bf3221c69a098085f9ff2

        SHA1

        a7d708e9f356be139f90c2db787939e9a5eb4f2e

        SHA256

        f14ff29c31fb7f6a27e75f925000475fd103a924466a55426e1ea314870df500

        SHA512

        8c8fab2114e5d05d3d5c85558e4e7480fb93e210bc1dadc001131c2292034083f7920721396ffeedba65cdb0dcde0faee2b36f05e2e46b06749564dd5c398a83

        Download Submit
      • memory/320-197-0x0000000004F70000-0x0000000005002000-memory.dmp
        Filesize

        584KB

        Download
      • memory/320-203-0x0000000005100000-0x000000000510A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/320-209-0x0000000004F00000-0x0000000004F10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/320-196-0x0000000005480000-0x0000000005A24000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/320-211-0x0000000004F00000-0x0000000004F10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/320-212-0x0000000004F00000-0x0000000004F10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/320-213-0x0000000004F00000-0x0000000004F10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/320-191-0x0000000000740000-0x0000000000A9C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/636-223-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/636-222-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/636-225-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/636-226-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/1248-228-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/1248-229-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/1248-230-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/1248-231-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/1248-232-0x00007FF76A250000-0x00007FF76A76F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/3236-133-0x0000000000400000-0x000000000091F000-memory.dmp
        Filesize

        5.1MB

        Download
      • memory/3236-179-0x0000000061E00000-0x0000000061EF1000-memory.dmp
        Filesize

        964KB

        Download
      • memory/3940-210-0x0000000000F50000-0x0000000001DA0000-memory.dmp
        Filesize

        14.3MB

        Download